Sshguard

From Mage

A quick and dirty guide to sshguard on Arch.

Install the package

 pacman -S sshguard


Changing a Simple Stateful Firewall

You need to add two new lines to your iptables.rules. The first line declares a new chain called sshguard, where the daemon inserts rules to drop packets from bad hosts. The second is a rule that sends our SSH traffic through that chain before it is accepted by our original rule, so the order of the two SSH rules matters. Added to our basic iptables rules, it ends up as such:

vi /etc/iptables/iptables.rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# <- THIS ONE: the chain sshguard will fill with DROP rules for bad hosts
:sshguard - [0:0]

### Service rules

# Allow connections that are already established first.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Accept local traffic
-A INPUT -i lo -j ACCEPT

# Drop all packets with invalid headers or checksum
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Accept all new incoming ICMP echo requests, also known as pings
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

## Port opening
# enable SSH - LOCK THAT SUCKER DOWN with sshguard
# <- AND THIS ONE: it must come before the ACCEPT rule for the same port.
# (454647 as written is not a valid port; TCP ports only go up to 65535, so
#  use the port your sshd actually listens on. Keep comments on their own
#  lines: iptables-restore rejects trailing '#' comments on rule lines.)
-A INPUT -p tcp --dport 454647 -j sshguard
-A INPUT -p tcp --dport 454647 -j ACCEPT

# REJECT EVERYTHING ELSE
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

COMMIT
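
A quick sanity check to run over the rules file before restarting iptables, as an added example that is not part of this page or of sshguard: it parses an iptables-restore file and reports a missing sshguard chain, a jump to sshguard placed after the ACCEPT for the same port, an out-of-range port like the 454647 above, or an inline comment that iptables-restore would choke on. The constructed SAMPLE at the bottom is this page's SSH rules with the annotations moved onto their own lines.

```python
"""Pre-flight checker for an iptables-restore file that routes SSH through the
sshguard chain.  Added example; not code from the wiki page or from sshguard.
Checks what the text above relies on: the chain is declared, the jump to it
comes BEFORE the ACCEPT for the same port, the port is a real TCP port (1-65535),
and no -A line carries a trailing '#' comment (only whole-line comments work)."""
import re

CHAIN = "sshguard"                       # chain name used in the rules above
PORT_RE = re.compile(r"--dport\s+(\S+)")
JUMP_RE = re.compile(r"-j\s+(\S+)")


def check_rules(text: str, chain: str = CHAIN) -> list[str]:
    """Return the problems found, in file order (empty list means the file is fine)."""
    problems, declared, guarded = [], False, set()   # guarded: ports already sent to chain
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):                     # chain declaration line
            declared = declared or line.split()[0][1:] == chain
            continue
        if not line.startswith("-A"):                # *filter, COMMIT, ...
            continue
        if "#" in line:
            problems.append(f"line {lineno}: inline '#' comment breaks iptables-restore")
            line = line.split("#", 1)[0].strip()
        port_m, jump_m = PORT_RE.search(line), JUMP_RE.search(line)
        if not (port_m and jump_m):
            continue
        port, target = port_m.group(1), jump_m.group(1)
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"line {lineno}: '{port}' is not a valid TCP port")
        if target == chain:
            guarded.add(port)
        elif target == "ACCEPT" and port not in guarded:
            problems.append(f"line {lineno}: port {port} ACCEPTed before any jump to {chain}")
    if not declared:
        problems.append(f"chain {chain} is never declared (missing ':{chain} - [0:0]')")
    return problems


# Constructed sample: this page's SSH rules, annotations moved onto their own
# lines, with the page's out-of-range port kept on purpose so it gets flagged.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -p tcp --dport 454647 -j sshguard
-A INPUT -p tcp --dport 454647 -j ACCEPT
COMMIT
"""
```

Running `check_rules(SAMPLE)` reports the bad port on both SSH lines; swap in a real port and it returns an empty list.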


Edit config files

vi /etc/sshguard.conf

#!/bin/sh
# sshguard.conf -- SSHGuard configuration

#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
BACKEND="/usr/lib/sshguard/sshg-fw-iptables"

# Shell command that provides logs on standard output. (optional, no default)
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"


#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=300

# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=1800


#### EXTRAS ####
# !! Warning: These features may not work correctly with sandboxing. !!

# Colon-separated blacklist threshold and full path to blacklist file.
# (optional, no default)
BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db

# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
WHITELIST_FILE=/etc/friends


vi /etc/friends

# Specify IPv4 addresses to whitelist
192.168.1.100

# Specify DNS hostnames to whitelist
bar.localdomain.local


Services

Restart iptables so we have the sshguard table, then start and enable sshguard so it starts at boot.

sudo systemctl restart iptables
sudo systemctl start sshguard
sudo systemctl enable sshguard


Troubleshoot

Locked Accounts

  • Make sure the account isn't locked on the server
┌(foo@server)─(05:37 AM Sun Jun 17)─(~)
└> sudo pam_tally2 -u foo
Login           Failures Latest failure     From
foo                 3    06/17/18 05:59:36  bar.localdomain.local

If it is, reset the account's tally

┌(foo@server)─(05:37 AM Sun Jun 17)─(~)
└> sudo pam_tally2 -u foo --reset
Login           Failures Latest failure     From
foo                 3    06/17/18 05:59:36  bar.localdomain.local

┌(foo@server)─(05:37 AM Sun Jun 17)─(~)
└> sudo pam_tally2 -u foo
Login           Failures Latest failure     From
foo                 0


sshguard

  • Make sure sshguard hasn't blocked your IP
┌(foo@server)─(06:04 AM Sun Jun 17)─(~)
└> iptables -nL sshguard
Chain sshguard (1 references)
target     prot opt source               destination

If it has, reset iptables to clear it

sudo systemctl restart iptables